Sync documentation of main branch

_generated-doc/main/config/quarkus-all-config.adoc

@@ -51288,6 +51288,8 @@ a|icon:lock[title=Fixed at build time] [[quarkus-oidc_quarkus-keycloak-devservic
 --
 A comma-separated list of class or file system paths to Keycloak realm files. This list is used to initialize Keycloak. The first value in this list is used to initialize default tenant connection properties.
 
+To learn more about Keycloak realm files, consult the link:https://www.keycloak.org/server/importExport[Importing and Exporting Keycloak Realms documentation].
+
 
 ifdef::add-copy-button-to-env-var[]
 Environment variable: env_var_with_copy_button:+++QUARKUS_KEYCLOAK_DEVSERVICES_REALM_PATH+++[]
@@ -52487,7 +52489,7 @@ a| [[quarkus-oidc_quarkus-oidc-logout-backchannel-path]] [.property-path]##`quar
 
 [.description]
 --
-The relative path of the Back-Channel Logout endpoint at the application.
+The relative path of the Back-Channel Logout endpoint at the application. It must start with the forward slash '/', for example, '/back-channel-logout'. This value is always resolved relative to 'quarkus.http.root-path'.
 
 
 ifdef::add-copy-button-to-env-var[]
@@ -54475,7 +54477,7 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-logout-backchannel-path]] [.property-path]
 
 [.description]
 --
-The relative path of the Back-Channel Logout endpoint at the application.
+The relative path of the Back-Channel Logout endpoint at the application. It must start with the forward slash '/', for example, '/back-channel-logout'. This value is always resolved relative to 'quarkus.http.root-path'.
 
 
 ifdef::add-copy-button-to-env-var[]

_generated-doc/main/config/quarkus-oidc_quarkus.keycloak.adoc

@@ -103,6 +103,8 @@ a|icon:lock[title=Fixed at build time] [[quarkus-oidc_quarkus-keycloak-devservic
 --
 A comma-separated list of class or file system paths to Keycloak realm files. This list is used to initialize Keycloak. The first value in this list is used to initialize default tenant connection properties.
 
+To learn more about Keycloak realm files, consult the link:https://www.keycloak.org/server/importExport[Importing and Exporting Keycloak Realms documentation].
+
 
 ifdef::add-copy-button-to-env-var[]
 Environment variable: env_var_with_copy_button:+++QUARKUS_KEYCLOAK_DEVSERVICES_REALM_PATH+++[]

_generated-doc/main/config/quarkus-oidc_quarkus.keycloak.devservices.adoc

@@ -99,6 +99,8 @@ a|icon:lock[title=Fixed at build time] [[quarkus-oidc_quarkus-keycloak-devservic
 --
 A comma-separated list of class or file system paths to Keycloak realm files. This list is used to initialize Keycloak. The first value in this list is used to initialize default tenant connection properties.
 
+To learn more about Keycloak realm files, consult the link:https://www.keycloak.org/server/importExport[Importing and Exporting Keycloak Realms documentation].
+
 
 ifdef::add-copy-button-to-env-var[]
 Environment variable: env_var_with_copy_button:+++QUARKUS_KEYCLOAK_DEVSERVICES_REALM_PATH+++[]

_generated-doc/main/config/quarkus-oidc_quarkus.oidc.adoc

@@ -1006,7 +1006,7 @@ a| [[quarkus-oidc_quarkus-oidc-logout-backchannel-path]] [.property-path]##`quar
 
 [.description]
 --
-The relative path of the Back-Channel Logout endpoint at the application.
+The relative path of the Back-Channel Logout endpoint at the application. It must start with the forward slash '/', for example, '/back-channel-logout'. This value is always resolved relative to 'quarkus.http.root-path'.
 
 
 ifdef::add-copy-button-to-env-var[]
@@ -2994,7 +2994,7 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-logout-backchannel-path]] [.property-path]
 
 [.description]
 --
-The relative path of the Back-Channel Logout endpoint at the application.
+The relative path of the Back-Channel Logout endpoint at the application. It must start with the forward slash '/', for example, '/back-channel-logout'. This value is always resolved relative to 'quarkus.http.root-path'.
 
 
 ifdef::add-copy-button-to-env-var[]

_versions/main/guides/extension-metadata.adoc

@@ -64,6 +64,9 @@ And here is the final version of the file included in the runtime JAR augmented
 ----
 name: "Quarkus REST (formerly RESTEasy Reactive)"
 artifact: "io.quarkus:quarkus-rest:999-SNAPSHOT"
+description: "A Jakarta REST implementation utilizing build time processing and Vert.x.\
+  \ This extension is not compatible with the quarkus-resteasy extension, or any of\
+  \ the extensions that depend on it." <1>
 metadata:
   short-name: "rest"
   keywords:
@@ -84,13 +87,13 @@ metadata:
     artifact: "io.quarkus:quarkus-project-core-extension-codestarts::jar:999-SNAPSHOT"
   config:
   - "quarkus.rest."
-  built-with-quarkus-core: "3.8.5" <1>
-  requires-quarkus-core: "[3.8,)" <2>
-  capabilities: <3>
+  built-with-quarkus-core: "3.8.5" <2>
+  requires-quarkus-core: "[3.8,)" <3>
+  capabilities: <4>
     provides:
     - "io.quarkus.rest"
     - "io.quarkus.resteasy.reactive"
-  extension-dependencies: <4>
+  extension-dependencies: <5>
   - "io.quarkus:quarkus-rest-common"
   - "io.quarkus:quarkus-mutiny"
   - "io.quarkus:quarkus-smallrye-context-propagation"
@@ -100,21 +103,18 @@ metadata:
   - "io.quarkus:quarkus-vertx-http"
   - "io.quarkus:quarkus-core"
   - "io.quarkus:quarkus-jsonp"
-description: "A Jakarta REST implementation utilizing build time processing and Vert.x.\
-  \ This extension is not compatible with the quarkus-resteasy extension, or any of\
-  \ the extensions that depend on it." <5>
-scm-url: "https://github.com/quarkusio/quarkus" <6>
-sponsor: A Sponsoring Organisation <7>
+  scm-url: "https://github.com/quarkusio/quarkus" <6>
+  sponsor: A Sponsoring Organisation <7>
 ----
-
-<1> Quarkus version the extension was built with
-<2> The Quarkus version range this extension requires. Optional, and will be set automatically by using the `built-with-quarkus-core` as the minimum range.
-<3> https://quarkus.io/guides/capabilities[Capabilities] this extension provides
-<4> Direct dependencies on other extensions
-<5> Description that can be displayed to users. In this case, the description was copied from the `pom.xml` of the extension module but it could also be provided in the template file.
+<1> Description that can be displayed to users. In this case, the description was copied from the `pom.xml` of the extension module but it could also be provided in the template file.
+<2> Quarkus version the extension was built with
+<3> The Quarkus version range this extension requires. Optional, and will be set automatically by using the `built-with-quarkus-core` as the minimum range.
+<4> https://quarkus.io/guides/capabilities[Capabilities] this extension provides
+<5> Direct dependencies on other extensions
 <6> The source code repository of this extension. Optional, and will often be set automatically by using the `<scm>` information in the pom. In GitHub Actions builds, it will be inferred from the CI environment. For other GitHub repositories, it can be controlled by setting a `GITHUB_REPOSITORY` environment variable.
 <7> The sponsor(s) of this extension. Optional, and will sometimes be determined automatically from commit history.
 
+
 [[quarkus-extension-properties]]
 == META-INF/quarkus-extension.properties
 

_versions/main/guides/security-csrf-prevention.adoc

@@ -126,8 +126,8 @@ At this stage no additional configuration is needed - by default the CSRF form f
 
 [source,properties]
 ----
-quarkus.csrf-reactive.form-field-name=csrftoken
-quarkus.csrf-reactive.cookie-name=csrftoken
+quarkus.rest-csrf.form-field-name=csrftoken
+quarkus.rest-csrf.cookie-name=csrftoken
 ----
 
 == Sign CSRF token
@@ -136,7 +136,7 @@ You can get `HMAC` signatures created for the generated CSRF tokens and have the
 
 [source,properties]
 ----
-quarkus.csrf-reactive.token-signature-key=AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow
+quarkus.rest-csrf.token-signature-key=AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow
 ----
 
 [[csrf-request-header]]
@@ -151,18 +151,18 @@ If HTML `form` tags are not used and you need to pass CSRF token as a header, th
 ----
 <1> This expression is used to inject a CSRF token header and token. This token will be verified by the CSRF filter against a CSRF cookie.
 
-Default header name is `X-CSRF-TOKEN`, you can customize it with `quarkus.csrf-reactive.token-header-name`, for example:
+Default header name is `X-CSRF-TOKEN`, you can customize it with `quarkus.rest-csrf.token-header-name`, for example:
 
 [source,properties]
 ----
-quarkus.csrf-reactive.token-header-name=CUSTOM-X-CSRF-TOKEN
+quarkus.rest-csrf.token-header-name=CUSTOM-X-CSRF-TOKEN
 ----
 
 If you need to access the CSRF cookie from JavaScript in order to pass its value as a header, use `{inject:csrf.cookieName}` and `{inject:csrf.headerName}` to inject the cookie name which has to be read as a CSRF header value and allow accessing this cookie:
 
 [source,properties]
 ----
-quarkus.csrf-reactive.cookie-http-only=false
+quarkus.rest-csrf.cookie-http-only=false
 ----
 
 == Cross-origin resource sharing
@@ -255,11 +255,11 @@ As you can see a CSRF token verification will be required at the `/service/user`
 [source,properties]
 ----
 # Verify CSRF token only for the `/service/user` path, ignore other paths such as `/service/users`
-quarkus.csrf-reactive.create-token-path=/service/user
+quarkus.rest-csrf.create-token-path=/service/user
 
 # If `/service/user` path accepts not only `application/x-www-form-urlencoded` payloads but also other ones such as JSON then allow them
 # Setting this property is not necessary when the token is submitted as a header value
-quarkus.csrf-reactive.require-form-url-encoded=false
+quarkus.rest-csrf.require-form-url-encoded=false
 ----
 
 == Verify CSRF token in the application code
@@ -316,7 +316,7 @@ Also disable the token verification in the filter:
 
 [source,properties]
 ----
-quarkus.csrf-reactive.verify-token=false
+quarkus.rest-csrf.verify-token=false
 ----
 
 [[csrf-reactive-configuration-reference]]

_versions/main/guides/security-openid-connect-client-reference.adoc

@@ -1155,7 +1155,7 @@ quarkus.oidc-client.credentials.secret=secret
 quarkus.oidc-client.grant.type=exchange
 quarkus.oidc-client.grant-options.exchange.audience=quarkus-app-exchange
 
-quarkus.oidc-token-propagation.exchange-token=true <1>
+quarkus.resteasy-client-oidc-token-propagation.exchange-token=true <1>
 ----
 <1> Please note that the `exchange-token` configuration property is ignored when the OidcClient name is set with the `io.quarkus.oidc.token.propagation.AccessToken#exchangeTokenClient` annotation attribute.
 
@@ -1173,10 +1173,10 @@ quarkus.oidc-client.grant.type=jwt
 quarkus.oidc-client.grant-options.jwt.requested_token_use=on_behalf_of
 quarkus.oidc-client.scopes=https://graph.microsoft.com/user.read,offline_access
 
-quarkus.oidc-token-propagation.exchange-token=true
+quarkus.resteasy-client-oidc-token-propagation.exchange-token=true
 ----
 
-`AccessTokenRequestReactiveFilter` uses a default `OidcClient` by default. A named `OidcClient` can be selected with a `quarkus.oidc-token-propagation-reactive.client-name` configuration property or with the `io.quarkus.oidc.token.propagation.AccessToken#exchangeTokenClient` annotation attribute.
+`AccessTokenRequestReactiveFilter` uses a default `OidcClient` by default. A named `OidcClient` can be selected with a `quarkus.rest-client-oidc-token-propagation.client-name` configuration property or with the `io.quarkus.oidc.token.propagation.AccessToken#exchangeTokenClient` annotation attribute.
 
 [[token-propagation]]
 == Token Propagation
@@ -1231,7 +1231,7 @@ public interface ProtectedResourceService {
 }
 ----
 
-Alternatively, `AccessTokenRequestFilter` can be registered automatically with all MP Rest or Jakarta REST clients if the `quarkus.oidc-token-propagation.register-filter` property is set to `true` and `quarkus.oidc-token-propagation.json-web-token` property is set to `false` (which is a default value).
+Alternatively, `AccessTokenRequestFilter` can be registered automatically with all MP Rest or Jakarta REST clients if the `quarkus.resteasy-client-oidc-token-propagation.register-filter` property is set to `true` and `quarkus.resteasy-client-oidc-token-propagation.json-web-token` property is set to `false` (which is a default value).
 
 ==== Exchange token before propagation
 
@@ -1245,7 +1245,7 @@ quarkus.oidc-client.credentials.secret=secret
 quarkus.oidc-client.grant.type=exchange
 quarkus.oidc-client.grant-options.exchange.audience=quarkus-app-exchange
 
-quarkus.oidc-token-propagation.exchange-token=true
+quarkus.resteasy-client-oidc-token-propagation.exchange-token=true
 ----
 
 If you work with providers such as `Azure` that link:https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow#example[require using] link:https://www.rfc-editor.org/rfc/rfc7523#section-2.1[JWT bearer token grant] to exchange the current token, then you can configure `AccessTokenRequestFilter` to exchange the token like this:
@@ -1260,12 +1260,12 @@ quarkus.oidc-client.grant.type=jwt
 quarkus.oidc-client.grant-options.jwt.requested_token_use=on_behalf_of
 quarkus.oidc-client.scopes=https://graph.microsoft.com/user.read,offline_access
 
-quarkus.oidc-token-propagation.exchange-token=true
+quarkus.resteasy-client-oidc-token-propagation.exchange-token=true
 ----
 
 Note `AccessTokenRequestFilter` will use `OidcClient` to exchange the current token, and you can use `quarkus.oidc-client.grant-options.exchange` to set the additional exchange properties expected by your OpenID Connect Provider.
 
-`AccessTokenRequestFilter` uses a default `OidcClient` by default. A named `OidcClient` can be selected with a `quarkus.oidc-token-propagation.client-name` configuration property.
+`AccessTokenRequestFilter` uses a default `OidcClient` by default. A named `OidcClient` can be selected with a `quarkus.resteasy-client-oidc-token-propagation.client-name` configuration property.
 
 === RestClient JsonWebTokenRequestFilter
 
@@ -1307,7 +1307,7 @@ public interface ProtectedResourceService {
 }
 ----
 
-Alternatively, `JsonWebTokenRequestFilter` can be registered automatically with all MicroProfile REST or Jakarta REST clients if both `quarkus.oidc-token-propagation.register-filter` and `quarkus.resteasy-client-oidc-token-propagation.json-web-token` properties are set to `true`.
+Alternatively, `JsonWebTokenRequestFilter` can be registered automatically with all MicroProfile REST or Jakarta REST clients if both `quarkus.resteasy-client-oidc-token-propagation.register-filter` and `quarkus.resteasy-client-oidc-token-propagation.json-web-token` properties are set to `true`.
 
 ==== Update token before propagation
 

_versions/main/guides/security-openid-connect-providers.adoc

@@ -207,7 +207,7 @@ In order to set up OIDC for GitHub you need to create a new OAuth application in
 
 image::oidc-github-1.png[role="thumb"]
 
-Make sure to fill in the appropriate details, but more importantly the Authorization Callback URL, set to `http://localhost:8080/_renarde/security/github-success`
+Make sure to fill in the appropriate details, but more importantly the Authorization Callback URL, set to `http://localhost:8080/_renarde/security/oidc-success`
 (if you intend to test this using the Quarkus dev mode).
 
 Now click on `Register application` and you'll be shown your application page: